pfSense breaks VPN after upgrade
-
I have several IPsec VPNs towards a Sophos XG firewall.
They worked like a charm until I upgraded to 21.02.2-RELEASE and the subsequent patch p1. pfSense stops processing IPsec: if it finds a TCP connection over the VPN, packets get dropped after 20 seconds.
Just to be more clear:
2 sites: A with workstations WA and WB (managed by Sophos XG)
- B with workstation WC (managed by pfSense)
VPN always up, no problem with rekeying and so on.
SPIs aligned and so on. WA -> pinging WC
and
WB -> pinging WC. WB -> starts a TCP session to WC (for example SSH)
After about 20 seconds (just log in to SSH and get the remote prompt):
WA -> pinging WC like a charm
WB -> NOT able to ping WC anymore, nor any other desktop on site B
Traffic from WB is also not visible through the enc interface. I can reproduce it at any time.
Very strange.
If I restart the VPN, traffic starts to flow again until I start a TCP connection from WB towards WC.
Any help would be appreciated. PS: I opened a ticket with Sophos Support; they didn't find any problem.
PS1: Dumping traffic on pfSense for proto 50 on the WAN interface, I get ESP packets with the right SPI, but those packets (if they were processed) don't appear on the enc0 interface, nor on any other. -
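Added example (editor's note, not part of any post in this thread): a small script that turns the "ESP arrives on WAN with the right SPI but never shows up on enc0" observation above into a repeatable check. It reads two text captures, one from the WAN interface filtered on ESP and one from enc0, and reports per inbound SPI how many ESP packets reached the box versus how many were actually decrypted, whether the ESP sequence numbers have gaps (packets lost on the path) or are contiguous (packets arrived intact and were dropped locally), and how many ESP packets kept arriving after the last successful decrypt. The interface name, addresses, SPIs and the sample capture lines are constructed for the demo.

```python
"""Correlate ESP packets seen on the WAN with decrypted packets seen on enc0.

Added example, not from the forum thread. Intended input is two tcpdump
text captures taken on a pfSense/FreeBSD box, for example:
    tcpdump -ni em0  -l -tttt 'esp and host 203.0.113.1' > wan.txt
    tcpdump -ni enc0 -l -tttt                            > enc0.txt
Interface name, addresses, SPIs and the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# tcpdump -tttt line for an ESP packet on the outer (WAN) interface.
ESP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)
# FreeBSD enc0 line: the kernel prefixes each decrypted packet with its SPI.
ENC_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \((?P<flags>[a-z,]+)\): SPI (?P<spi>0x[0-9a-fA-F]+): IP "
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def parse_wan(lines, local_wan_ip):
    """{spi: [(timestamp, seq), ...]} for ESP packets addressed to our WAN IP."""
    inbound = defaultdict(list)
    for line in lines:
        m = ESP_RE.match(line)
        if m and m["dst"] == local_wan_ip:
            inbound[m["spi"].lower()].append((parse_ts(m["ts"]), int(m["seq"], 16)))
    return inbound


def parse_enc0(lines):
    """{spi: [timestamp, ...]} for packets the IPsec stack actually decrypted."""
    decrypted = defaultdict(list)
    for line in lines:
        m = ENC_RE.match(line)
        if m:
            decrypted[m["spi"].lower()].append(parse_ts(m["ts"]))
    return decrypted


def correlate(inbound, decrypted):
    """Per inbound SPI: packets on the wire vs. on enc0, plus two diagnostics.

    seq_gaps > 0                  -> packets went missing before reaching us
    seq_gaps == 0 and wan > enc0  -> packets arrived intact, dropped locally
    after_last_decrypt            -> ESP still arriving after enc0 went quiet
    """
    report = {}
    for spi, pkts in inbound.items():
        times = decrypted.get(spi, [])
        last_ok = max(times) if times else None
        seqs = sorted(seq for _, seq in pkts)
        gaps = sum(b - a - 1 for a, b in zip(seqs, seqs[1:]) if b > a + 1)
        stale = sum(1 for ts, _ in pkts if last_ok is None or ts > last_ok)
        report[spi] = {
            "wan": len(pkts),
            "enc0": len(times),
            "seq_gaps": gaps,
            "last_decrypt": last_ok,
            "after_last_decrypt": stale,
        }
    return report


# Constructed captures: peer 203.0.113.1 -> our WAN 198.51.100.1, inbound SPI
# 0xc1a2b3d4. The first three ESP packets are decrypted; the later three arrive
# with consecutive sequence numbers but never show up on enc0.
WAN_SAMPLE = [
    "2021-04-10 12:00:00.100000 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3d4,seq=0x10), length 132",
    "2021-04-10 12:00:00.150000 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0xdeadbeef,seq=0x10), length 132",
    "2021-04-10 12:00:01.100000 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3d4,seq=0x11), length 132",
    "2021-04-10 12:00:02.100000 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3d4,seq=0x12), length 132",
    "2021-04-10 12:00:21.000000 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3d4,seq=0x13), length 1444",
    "2021-04-10 12:00:22.000000 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3d4,seq=0x14), length 1444",
    "2021-04-10 12:00:23.000000 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3d4,seq=0x15), length 1444",
]
ENC0_SAMPLE = [
    "tcpdump: verbose output suppressed, use -v[v]... for full protocol decode",
    "2021-04-10 12:00:00.100300 (authentic,confidential): SPI 0xc1a2b3d4: IP 10.1.1.10 > 10.2.2.20: ICMP echo request, id 7, seq 1, length 64",
    "2021-04-10 12:00:01.100300 (authentic,confidential): SPI 0xc1a2b3d4: IP 10.1.1.10 > 10.2.2.20: ICMP echo request, id 7, seq 2, length 64",
    "2021-04-10 12:00:02.100300 (authentic,confidential): SPI 0xc1a2b3d4: IP 10.1.1.10 > 10.2.2.20: ICMP echo request, id 7, seq 3, length 64",
]


def run_demo(local_wan_ip="198.51.100.1"):
    return correlate(parse_wan(WAN_SAMPLE, local_wan_ip), parse_enc0(ENC0_SAMPLE))


if __name__ == "__main__":
    for spi, r in run_demo().items():
        print(f"{spi}: wan={r['wan']} enc0={r['enc0']} seq_gaps={r['seq_gaps']} "
              f"arrived after last decrypt={r['after_last_decrypt']}")
```

On the constructed sample the report shows six ESP packets on the WAN, three on enc0, no sequence gaps and three packets arriving after the last decrypt: the packets made it to the firewall intact and were discarded inside the IPsec path, which is the pattern that points at the local stack rather than at the peer or the network in between. Outbound ESP (our own WAN address as source) is ignored on purpose, since only inbound SPIs are expected to reappear on enc0 after decryption.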
@filoips I'm wondering if I am having the same problem you're describing. I maintain an IPSec tunnel to another endpoint for file sharing mostly. I don't use it frequently, so I can't say exactly when this problem occurred, but I haven't been able to figure it out quite yet.
I have a standard IPSec Tunnel from networks A and B.
Network B is a network I don't have management control over, so I only have knowledge of my end. On my network, I can restart the tunnel and it stays connected with no problems. Both the P1 and P2 seem to be connecting and maintaining the connections properly.
I can ping the server on Network B from any systems on Network A and get responses. As soon as I attempt a CIFS connection from Network A to the file server on Network B, I can sometimes get enough data through to load the directory structure before the link becomes unresponsive.
In some cases I can't even get a directory listing from the CIFS connection, in others I can get the main directory listing before it becomes unresponsive, and rarely I can get a sub directory listing and then it will become unresponsive. I've not been able to do more than that.
The tunnel still shows connected, but CIFS connections time out and pings from systems on Network A to Network B get no replies.
I've tried CIFS connections from multiple computers on Network A with the same result.
I can either reconnect the P2 entry to reset everything, or if I wait an undetermined amount of time, I can come back and get ping responses from the server on Network B.
Would you think this sounds similar to the connectivity issues you are having? I don't have a way to check for other TCP connections other than the CIFS connection going out. This link used to work without issues, though.
If not, I'll start up a new topic.
-
@filoips I continued doing some research and found a (temporary) solution. Apparently something broke with the hardware encryption in the latest release.
Here is a good read: https://forum.netgate.com/topic/161354/ipsec-packet-loss-routing-issue-with-21-02-release
I tried 2 options. The first was to change the hardware encryption setting from AES-NI to QAT. That seemed to make my connection a little more stable; I was able to go into a few more directories before it became unresponsive.
Then I changed it to none to completely disable hardware encryption, rebooted pfSense to unload the module, and now I have a stable and working connection again with no loss in connectivity.
Hopefully that helps and hopefully the next release will fix whatever was broken.
-
@sgnoc I think it's the same issue, a very strange problem. Today I'm going to change the algorithms and then try to disable hardware encryption.
I know new firmware is planned for June (21.05), but in the release notes there is no reference to this issue.
-
@sgnoc I moved to old-style algorithms:
3des-md5-dh2
and the VPN started to be stable.
I know they are weak algorithms... :-( -
Go for 21.05; the hardware crypto problems are solved.
https://forum.netgate.com/topic/164159/pfsense-plus-21-05-release-now-available -
Thanks for the heads up on the update @NOCling
Just got the upgrade in and reconfigured AES-NI, and everything seems to be working again. AES-NI is confirmed to be back on and my IPsec tunnels are working at optimum speeds again. Seems to be fixed for my purposes anyway.
Hope it resolves any issues for everyone else!